Estaba teniendo un consumo de CPU muy alto en mi servidor Ubuntu, y la mayoría de mis sitios web Apache estaban caídos.
Acabo de comprobar los registros de Apache en /var/log/apache2 y vi que había alguien haciendo un ataque xmlrpc a mis sitios WordPress.
54.38.157.178 - - [01/Oct/2018:11:28:18 +0200] "POST /xmlrpc.php HTTP/1.0" 500 556 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)" 54.38.157.178 - - [01/Oct/2018:11:28:18 +0200] "POST /xmlrpc.php HTTP/1.0" 500 556 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)" 54.38.157.178 - - [01/Oct/2018:11:28:19 +0200] "POST /xmlrpc.php HTTP/1.0" 500 556 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)" 54.38.157.178 - - [01/Oct/2018:11:28:18 +0200] "POST /xmlrpc.php HTTP/1.0" 500 556 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)" 54.38.157.178 - - [01/Oct/2018:11:28:18 +0200] "POST /xmlrpc.php HTTP/1.0" 500 556 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)" 54.38.157.178 - - [01/Oct/2018:11:27:27 +0200] "POST /xmlrpc.php HTTP/1.0" 500 556 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)" 54.38.157.178 - - [01/Oct/2018:11:27:54 +0200] "POST /xmlrpc.php HTTP/1.0" 500 556 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)" 54.38.157.178 - - [01/Oct/2018:11:28:00 +0200] "POST /xmlrpc.php HTTP/1.0" 500 556 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)" 54.38.157.178 - - [01/Oct/2018:11:27:30 +0200] "POST /xmlrpc.php HTTP/1.0" 500 556 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
La forma más rápida de detenerlo sería simplemente bloquear ese archivo en el servidor Apache.
Continuar leyendo “Block xmlrpc.php on Apache for all Domains on Ubuntu”